Tactics, Techniques, and Procedures

Dr. Greg Bernstein

March 9th, 2021

Adversary Behaviors

Tactics, Techniques, and Procedures (TTPs)

From TTPs Within Cyber Threat Intelligence

“patterns of activities or methods associated with a specific threat actor or group of threat actors”

When an incident does happen, related TTPs help establish potential attribution and an attack framework. This can sometimes aid a team in identifying valuable data such as likely vectors and payloads as well as command and control infrastructure (C2).

TTP Models

  • Cyber Kill Chain Model (LockeedMartin)
  • ATT&CK® (Mitre)
  • Penetration Testing Models will be covered later

Cyber Kill Chain Model

References

Advanced Persistent Threats (APT)

From Wikipedia: APT

An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state sponsored groups conducting large-scale targeted intrusions for specific goals.

APT Ingredients

From Wikipedia: APT

  • Advanced: Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal. These may include commercial and open source computer intrusion technologies and techniques, but may also extend to include the intelligence apparatus of a state.

  • Persistent: Operators have specific objectives, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a “low-and-slow” approach is usually more successful.

Military Kill Chain

U.S. Department of Defense, 2007 (F2T2EA)

  • Find adversary targets suitable for engagement;
  • Fix their location;
  • Track and observe;
  • Target with suitable weapon or asset to create desired effects;
  • Engage adversary (kill);
  • Assess effects.

Cyber Kill-Chain (Lockheed-Martin) 1

  1. Reconnaissance: Research, identification and selection of targets…
  2. Weaponization: Coupling a remote access trojan with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer)…
  3. Delivery: Transmission of the weapon to the targeted environment.

Cyber Kill-Chain (Lockheed-Martin) 2

  1. Exploitation: After the weapon is delivered to victim host, exploitation triggers intruders’ code. Most often, exploitation targets an application or operating system vulnerability, but it could also more simply exploit the users themselves or leverage an operating system feature that auto-executes code.

  2. Installation: Installation of a remote access trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment.

Cyber Kill-Chain (Lockeed-Martin) 3

  1. Command and Control (C2): Typically, compromised hosts must beacon outbound to an Internet controller server to establish a C2 channel. APT malware especially requires manual interaction rather than conduct activity automatically. Once the C2 channel establishes, intruders have “hands on the keyboard” access inside the target environment.

  2. Actions on Objectives: Only now can intruders take actions to achieve their original objectives. Typically, this objective is data exfiltration which involves collecting, encrypting and extracting information from the victim environment;

Why: Courses of Action

From Kill-chain PDF

The intrusion kill chain becomes a model for actionable intelligence when defenders align enterprise defensive capabilities to the specific processes an adversary undertakes to target that enterprise. Defenders can measure the performance as well as the effectiveness of these actions, and plan investment road maps to rectify any capability gaps.

The Five Ds

  • Detect
  • Deny
  • Disrupt
  • Degrade
  • Deceive (or Destroy)

Kill chain and the Ds

Kill Chain Matrix

Acronyms from Chart

  • AV: Anti Virus
  • HIDS: Host (based) Intrusion Detection System
  • NIDS: Network Intrusion Detection System
  • NIPS: Network Intrusion Prevention System

MITRE ATT&CK ®

ATT&CK References

What is it?

From MITRE ATT&CK®: Design and Philosophy

MITRE ATT&CK is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s attack lifecycle and the platforms they are known to target. ATT&CK focuses on how external adversaries compromise and operate within computer information networks.

Main use cases

ATT&CK = Adversary Tactics, Techniques and Common Knowledge

  • threat intelligence: What TTPs have been used against organizations like yours
  • detection and analytics: Use to look for suspicious behaviors
  • adversary emulation and red teaming: Mimic adversary’s TTPs when testing
  • assessment and engineering

ATT&CK Web Pages

ATT&CK Tactics 1

From Enterprise Tactics Page

  • Reconnaissance: The adversary is trying to gather information they can use to plan future operations.

  • Resource Development: The adversary is trying to establish resources they can use to support operations.

  • Initial Access: The adversary is trying to get into your network.

  • Execution: The adversary is trying to run malicious code.

ATT&CK Tactics 2

From Enterprise Tactics Page

  • Persistence: The adversary is trying to maintain their foothold.

  • Privilege Escalation: The adversary is trying to gain higher-level permissions.

  • Defense Evasion: The adversary is trying to avoid being detected.

  • Credential Access: The adversary is trying to steal account names and passwords.

ATT&CK Tactics 3

From Enterprise Tactics Page

  • Discovery: The adversary is trying to figure out your environment.

  • Lateral Movement: The adversary is trying to move through your environment.

  • Collection: The adversary is trying to gather data of interest to their goal.

  • Command and Control: The adversary is trying to communicate with compromised systems to control them.

ATT&CK Tactics 4

From Enterprise Tactics Page

  • Exfiltration: The adversary is trying to steal data.

  • Impact: The adversary is trying to manipulate, interrupt, or destroy your systems and data.

Comparison of CTI Models

From MITRE ATT&CK ®: Design and Philosophy

CTI Models

Example Use #1A

Operation Dianxun - CN espionage campaign targeting telecommunication companies - AlienVault

ATTCK Example

Example Use #1B

Portion of STIX file from Operation Dianxun - CN espionage campaign targeting telecommunication companies - AlienVault

{
    "type": "attack-pattern",
    "spec_version": "2.1",
    "id": "attack-pattern--85e864e1-5dd0-4065-964d-05df90defd98",
    "created": "2021-03-16T17:09:49.252Z",
    "modified": "2021-03-16T17:09:49.252Z",
    "name": "Scheduled Task/Job",
    "description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\n\nAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).",
    "kill_chain_phases": [
        {
            "kill_chain_name": "mitre-attack",
            "phase_name": "execution"
        },
        {
            "kill_chain_name": "mitre-attack",
            "phase_name": "persistence"
        },
        {
            "kill_chain_name": "mitre-attack",
            "phase_name": "privilege-escalation"
        }
    ],
    "external_references": [
        {
            "source_name": "mitre-attack",
            "url": "https://attack.mitre.org/techniques/T1053",
            "external_id": "T1053"
        },
        {
            "source_name": "capec",
            "url": "https://capec.mitre.org/data/definitions/557.html",
            "external_id": "CAPEC-557"
        },
        {
            "source_name": "TechNet Task Scheduler Security",
            "description": "Microsoft. (2005, January 21). Task Scheduler and security. Retrieved June 8, 2016.",
            "url": "https://technet.microsoft.com/en-us/library/cc785125.aspx"
        }
    ]
},

Example Use 1C Threat Actor

Portion of STIX file from Operation Dianxun - CN espionage campaign targeting telecommunication companies - AlienVault

{
    "type": "threat-actor",
    "spec_version": "2.1",
    "id": "threat-actor--a243e69e-c2fe-4b1b-bedf-493b30198c86",
    "created": "2021-03-16T17:09:49.252Z",
    "modified": "2021-03-16T17:09:49.252Z",
    "name": "Mustang Panda",
    "description": "This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes.\nIn April 2017, CrowdStrike Falcon Intelligence observed a previously unattributed actor group with a Chinese nexus targeting a U.S.-based think tank. Further analysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs). This adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian language decoys and themes, suggesting this actor has a specific focus on gathering intelligence on Mongolia. These campaigns involve the use of shared malware like Poison Ivy or PlugX.\nRecently, Falcon Intelligence observed new activity from MUSTANG PANDA, using a unique infection chain to target likely Mongolia-based victims. This newly observed activity uses a series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems. Additionally, MUSTANG PANDA actors reused previously-observed legitimate domains to host files.",
    "aliases": [
        "BRONZE PRESIDENT",
        "HoneyMyte",
        "Red Lich"
    ],
    "labels": [
        "activist"
    ],
    "external_references": [
        {
            "source_name": "MISP Threat Actor list",
            "url": "https://www.cfr.org/interactive/cyber-operations/mustang-panda"
        },
        {
            "source_name": "MISP Threat Actor list",
            "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/"
        },
        {
            "source_name": "MISP Threat Actor list",
            "url": "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
        },
        {
            "source_name": "MISP Threat Actor list",
            "url": "https://www.secureworks.com/research/threat-profiles/bronze-president"
        }
    ]
    },

Example Use 1D Threat Actor

From Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA 2018

Mustang Panda

Example Use 2

Lemon Duck brings cryptocurrency miners back into the spotlight, October 2020

ATTCK Example 2
// reveal.js plugins